[GH-ISSUE #1216] 2025 Nov. Authorization Migration #710

New issue

Closed

opened 2026-02-28 00:01:05 +03:00 by kerem · 2 comments

kerem commented

2026-02-28 00:01:05 +03:00

Owner

Originally created by @glass-ships on GitHub (Oct 15, 2025).
Original GitHub issue: https://github.com/spotipy-dev/spotipy/issues/1216

According to a recent blog post, all applications will need to update their authorization workflow.
Is this migration being accounted for by spotipy? Will users need to make any changes in our code that uses spotipy for authorization?
Based on the javascript code shown in the migration guides linked above, users need to create a base64 encoded, sha256 hashed, random 64 character string to pass as part of a code challenge in any request URLs. From reading the spotipy documentation, it was not clear to me if this functionality already exists.

Thanks!
</glass>

Originally created by @glass-ships on GitHub (Oct 15, 2025). Original GitHub issue: https://github.com/spotipy-dev/spotipy/issues/1216 According to a recent [blog post](https://developer.spotify.com/blog/2025-10-14-reminder-oauth-migration-27-nov-2025), all applications will need to update their authorization workflow. Is this migration being accounted for by spotipy? Will users need to make any changes in our code that uses spotipy for authorization? Based on the javascript code shown in the migration guides linked above, users need to create a base64 encoded, sha256 hashed, random 64 character string to pass as part of a code challenge in any request URLs. From reading the spotipy documentation, it was not clear to me if this functionality already exists. Thanks! \</glass>

kerem

2026-02-28 00:01:05 +03:00

closed this issue
added the
question
label

kerem commented

2026-02-28 00:01:06 +03:00

Author

Owner

@dieser-niko commented on GitHub (Oct 15, 2025):

Hi there,
Spotipy had already implemented the necessary authorisation workflows before any changes were even announced by Spotify.

If your application still uses localhost or HTTP as a callback URI, or uses the implicit grant flow as described in the blog post, that is your concern.

We can't announce this change to the general public as we don't have any means of making public announcements to which users have subscribed. There is already a warning in place for these methods (see example), and after Spotify has fully removed the functionality, we will do the same.

@dieser-niko commented on GitHub (Oct 15, 2025): Hi there, Spotipy had already implemented the necessary authorisation workflows before any changes were even announced by Spotify. If your application still uses localhost or HTTP as a callback URI, or uses the implicit grant flow as described in the blog post, that is your concern. We can't announce this change to the general public as we don't have any means of making public announcements to which users have subscribed. There is already a warning in place for these methods (see [example](https://github.com/spotipy-dev/spotipy/blob/a91d9feb516a4360503dca9cfe63a35927b9befa/spotipy/oauth2.py#L447L451)), and after Spotify has fully removed the functionality, we will do the same.

kerem commented

2026-02-28 00:01:06 +03:00

Author

Owner

@glass-ships commented on GitHub (Oct 15, 2025):

Oh nice, ok! thanks for the heads up, I appreciate it

@glass-ships commented on GitHub (Oct 15, 2025): Oh nice, ok! thanks for the heads up, I appreciate it